EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Mistake in my TElCertificateRequest.Generate? Object has zero length.

#15916
Posted: 02/26/2011 07:43:57
by Richard Kelsall (Standard support level)
Joined: 06/25/2010
Posts: 16

Hi,

I think I have made a mistake somewhere when I am creating a Certificate Signing Request (CSR), because when I produce and then check this file (also attached)

-----BEGIN NEW CERTIFICATE REQUEST-----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-----END NEW CERTIFICATE REQUEST-----

using the online decoder here

http://certlogik.com/decoder/

I get the error message "Error: Object has zero length" see below. Also when I do

openssl asn1parse -in csr5.pem

I get the message "Error in encoding 284:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:./crypto/asn1/asn1_lib.c:150:" which, looking at the OpenSSL source, seems to be produced by specifying zero as a length, so it is probably the same error.

My code looks approximately like this:

  FRequest: TElCertificateRequest;

  procedure GenerateCSR;
  var
    Algorithm, Hash, KeySize: integer;
  begin
    // Subject Name: one Values/OIDs pair per RDN, in the order they are written
    with FRequest.Subject do
    begin
      Count := 7;
      Values[0] := 'US';
      OIDs[0]   := SB_CERT_OID_COUNTRY;
      Values[1] := edRegion.Text;
      OIDs[1]   := SB_CERT_OID_STATE_OR_PROVINCE;
      Values[2] := edCity.Text;
      OIDs[2]   := SB_CERT_OID_LOCALITY;
      Values[3] := edCompanyName.Text;
      OIDs[3]   := SB_CERT_OID_ORGANIZATION;
      Values[4] := edDepartment.Text;
      OIDs[4]   := SB_CERT_OID_ORGANIZATION_UNIT;
      Values[5] := edDomainName.Text;
      OIDs[5]   := SB_CERT_OID_COMMON_NAME;
      Values[6] := edEMail.Text;
      OIDs[6]   := SB_CERT_OID_EMAIL;
    end;
    // RSA key pair, SHA-256 signature, 2048-bit modulus
    Algorithm := SB_CERT_ALGORITHM_ID_RSA_ENCRYPTION;
    Hash      := SB_CERT_ALGORITHM_SHA256_RSA_ENCRYPTION;
    KeySize   := 2048;
    FRequest.Generate(Algorithm, KeySize, Hash);
  end;

Can anyone point out what I am doing wrong? Or suggest something I could try. Thank you.

The online checker gives this output:

0 711: SEQUENCE {
4 431: SEQUENCE {
8 1: INTEGER 0
11 129: SEQUENCE {
14 11: SET {
16 9: SEQUENCE {
18 3: OBJECT IDENTIFIER countryName (2 5 4 6)
23 2: PrintableString 'US'
: }
: }
27 16: SET {
29 14: SEQUENCE {
31 3: OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
36 7: PrintableString 'region5'
: }
: }
45 14: SET {
47 12: SEQUENCE {
49 3: OBJECT IDENTIFIER localityName (2 5 4 7)
54 5: PrintableString 'city5'
: }
: }
61 17: SET {
63 15: SEQUENCE {
65 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
70 8: PrintableString 'company5'
: }
: }
80 20: SET {
82 18: SEQUENCE {
84 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
89 11: PrintableString 'department5'
: }
: }
102 16: SET {
104 14: SEQUENCE {
106 3: OBJECT IDENTIFIER commonName (2 5 4 3)
111 7: PrintableString 'domain5'
: }
: }
120 21: SET {
122 19: SEQUENCE {
124 9: OBJECT IDENTIFIER emailAddress (1 2 840 113549 1 9 1)
135 6: IA5String 'email5'
: }
: }
: }
143 290: SEQUENCE {
147 13: SEQUENCE {
149 9: OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
160 0: NULL
: }
162 271: BIT STRING
: 30 82 01 0A 02 82 01 01 00 ED 4B 67 1C CE 30 35
: 00 E3 9D 6E AD 92 11 EC 00 A9 5C 96 C4 A9 45 52
: 90 85 DA 8B 2B 7C 0D 89 37 62 78 F9 5C F9 0F 7F
: 0E AD F4 CE B1 BD 15 76 34 BF 8D 91 4C BE 7E D5
: 5B 75 B6 28 99 87 30 53 6B E7 9F 32 6C 47 55 3A
: 55 E4 CC 9E 5D 8F A9 7B D1 A9 0D 16 48 4E DC AD
: 33 B9 07 BB CB D0 F5 A2 D1 3C E1 42 BB DC 11 02
: E5 00 36 57 E9 1D 92 46 BB FB F4 FE 36 11 7C 40
: [ Another 142 bytes skipped ]
: }
437 0: [0]
: Error: Object has zero length.
: }
439 13: SEQUENCE {
441 9: OBJECT IDENTIFIER sha256WithRSAEncryption (1 2 840 113549 1 1 11)
452 0: NULL
: }
454 257: BIT STRING
: 8D 8A B2 5E C8 4A 3A 18 47 C8 F0 EB C3 95 CD 4C
: 85 A6 69 54 A2 AB 3C 06 38 39 60 2E 7E D9 71 BA
: F9 8B 6A 41 FF 6F 2E 27 29 F5 01 C8 43 5D 19 40
: CE E8 37 1D 05 9C 6C 1B 06 92 F4 4B FA 95 DC 67
: 80 29 32 B0 FC 1C 4C 80 08 0C 41 2A 04 02 B6 CA
: BF 0C 03 6F 31 58 B3 6C DC 29 73 28 88 C0 F5 E1
: B8 97 48 29 81 C3 2A F1 FC FE 8F E6 F0 61 41 32
: 38 1B 60 B1 E2 90 21 FB 29 79 10 BC 74 E5 49 FA
: [ Another 128 bytes skipped ]
: }
#15917
Posted: 02/28/2011 01:48:34
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

Try to generate a CSR using our demo that can be found in \EldoS\SecureBlackbox\Samples\Delphi\PKIBlackbox\CertRequest
#15918
Posted: 02/28/2011 02:59:37
by Richard Kelsall (Standard support level)
Joined: 06/25/2010
Posts: 16

Hi Vsevolod,

Thank you. That helped me. I did start from the CertRequest demo but I have been modifying and simplifying it for my use. The original does work with the RSA, SHA256 and 2048 bits like I have shown above so I must have changed something else that has made it produce the error. I will track down what I have broken and update this thread when I find it.

db7ws
#15919
Posted: 02/28/2011 08:24:58
by Richard Kelsall (Standard support level)
Joined: 06/25/2010
Posts: 16

What I have found is that OpenSSL sometimes says "header too long" when I produce a CSR file and do an asn1parse of it, and sometimes it does not. This tricked me into thinking I had a version of the program that was working properly. (I am currently reluctant to wipe and reinstall Secure Blackbox to test the original clean version of the demo.) All the examples I have tried do seem to consistently give an error message in the online checker. Example below, which does not produce an error in OpenSSL but does produce an error in the online checker.

The problem seems to be with the 'Attributes' between RSA public key and the Signature Algorithm being empty. I do not know what these are meant to contain.


-----BEGIN NEW CERTIFICATE REQUEST-----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-----END NEW CERTIFICATE REQUEST-----
#15920
Posted: 02/28/2011 08:57:43
by Vsevolod Ievgiienko (EldoS Corp.)

The Attributes field is a collection of attributes providing additional information about the subject of the certificate (see RFC2986 for details).

The Attributes field is optional, so it is normal that "Object has zero length". You can add attributes using the ElCertificateRequest.Attributes property.
#15921
Posted: 02/28/2011 09:10:18
by Richard Kelsall (Standard support level)
Joined: 06/25/2010
Posts: 16

Hi Vsevolod,

Thank you. I have just been experimenting. If I comment out your line

Lst.Add(WriteAttributes);

from your

function TElCertificateRequest.WriteCertificationRequestInfo: BufferType;

and produce a CSR the file will go through an OpenSSL asn1parse and it goes through the online checker without producing any errors. Example below. Maybe it is better when there are no attributes to do this? I am only guessing, I have not read the standard.

db7ws


-----BEGIN NEW CERTIFICATE REQUEST-----
MIICxTCCAa0CAQAwgYExCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdyZWdpb244MQ4w
DAYDVQQHEwVjaXR5ODERMA8GA1UEChMIY29tcGFueTgxFDASBgNVBAsTC2RlcGFy
dG1lbnQ4MRAwDgYDVQQDEwdkb21haW44MRUwEwYJKoZIhvcNAQkBFgZlbWFpbDgw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHOc09Zcw0UwC8emtDTRAf
F1wZEc9szrH31LEqgBb+vVTD2J7jT5X8bAkFdW8bSTguFcbz328xSTsSXDFT9YWd
wU/uenQmkIdE7jTZ1N0dkIeNDrE4O/1C65E/84okUfXSQHKaQZLZFgrQAi6B+Fko
E85JRNj6STaOPRIiggjeHSrJ2sXEJ6WpnurZeH0fZ54mwRB1WlT+Vvi1rpc+mIIl
MezJBkf28iOc4OX84Wy9VpuuiVwgvwwNeriXli+6DD9jNEFNCLCtFgKwnVixfutz
wYU5TtVMaqvz+2llhIsZhajnMXuF17V5+J5VoY5ZeZ9WvbSQDAb7T3NMvi/XZdyX
AgMBAAEwDQYJKoZIhvcNAQELBQADggEBABuzJnLypp68yArOW+/0K61XAhvmGvb5
dV2/COTLkxnuFUn9cWUlLTJQhPZYZa6Vj8B5ZHIOJbxyayVeEH3kbHgIhceAX52i
xwEBM/CE1Gwm9teULHLGts1TAeFWDpk/lDd+tXAAuQQFUys4isieFqRBuGfCORdb
a9cBlDmlCY9zUJJv5WaJQKjLR7A9RspJeIHu64Kn2bcksX+ddodTBZ4aFDSVCwMa
fqZnAgv817HjTCD0dnqGVGQ9vtqc7Ut/mWSiguBUXxUJhHPNyKIW0cGREmBi9LqP
1epA2U6rnJM4vhBVEDvLIdS/njYYPWIYYFS1pAH8TJYylt0tJFbHmZg=
-----END NEW CERTIFICATE REQUEST-----
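The three encodings discussed in this thread, the empty `[0]` element at offset 437 in the first dump, the element left out altogether as in the CSR just posted, and a populated attribute set, can be checked directly on the DER. The following is an added Python example, not SecureBlackbox code and not part of any post here. It walks a PKCS#10 CertificationRequest with a small hand-written TLV reader, reports the state of the `attributes [0]` field, and raises the same condition OpenSSL reports as "header too long" (a length that runs past the end of the buffer). In RFC 2986 the field is declared as `[0] IMPLICIT SET OF Attribute`, so its tag byte is `A0` and an empty set is the two bytes `A0 00`. The PEM constant is the CSR from the post above; `build_cri`, its dummy key bytes and the challengePassword value are constructed for the example and are not real key material.

```python
"""Added example for this thread (not SecureBlackbox code): walk the DER of a
PKCS#10 CertificationRequest and report how the attributes [0] field is encoded."""
import base64
from typing import Iterator, Optional, Tuple

# The CSR posted above (produced with WriteAttributes commented out).
PAGE_CSR_PEM = """-----BEGIN NEW CERTIFICATE REQUEST-----
MIICxTCCAa0CAQAwgYExCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdyZWdpb244MQ4w
DAYDVQQHEwVjaXR5ODERMA8GA1UEChMIY29tcGFueTgxFDASBgNVBAsTC2RlcGFy
dG1lbnQ4MRAwDgYDVQQDEwdkb21haW44MRUwEwYJKoZIhvcNAQkBFgZlbWFpbDgw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHOc09Zcw0UwC8emtDTRAf
F1wZEc9szrH31LEqgBb+vVTD2J7jT5X8bAkFdW8bSTguFcbz328xSTsSXDFT9YWd
wU/uenQmkIdE7jTZ1N0dkIeNDrE4O/1C65E/84okUfXSQHKaQZLZFgrQAi6B+Fko
E85JRNj6STaOPRIiggjeHSrJ2sXEJ6WpnurZeH0fZ54mwRB1WlT+Vvi1rpc+mIIl
MezJBkf28iOc4OX84Wy9VpuuiVwgvwwNeriXli+6DD9jNEFNCLCtFgKwnVixfutz
wYU5TtVMaqvz+2llhIsZhajnMXuF17V5+J5VoY5ZeZ9WvbSQDAb7T3NMvi/XZdyX
AgMBAAEwDQYJKoZIhvcNAQELBQADggEBABuzJnLypp68yArOW+/0K61XAhvmGvb5
dV2/COTLkxnuFUn9cWUlLTJQhPZYZa6Vj8B5ZHIOJbxyayVeEH3kbHgIhceAX52i
xwEBM/CE1Gwm9teULHLGts1TAeFWDpk/lDd+tXAAuQQFUys4isieFqRBuGfCORdb
a9cBlDmlCY9zUJJv5WaJQKjLR7A9RspJeIHu64Kn2bcksX+ddodTBZ4aFDSVCwMa
fqZnAgv817HjTCD0dnqGVGQ9vtqc7Ut/mWSiguBUXxUJhHPNyKIW0cGREmBi9LqP
1epA2U6rnJM4vhBVEDvLIdS/njYYPWIYYFS1pAH8TJYylt0tJFbHmZg=
-----END NEW CERTIFICATE REQUEST-----"""

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at pos -> (tag byte, value, offset after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: 0x8n followed by n length bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):           # the condition OpenSSL reports as "header too long"
        raise ValueError(f"length {length} at offset {pos} runs past the end of the data")
    return tag, buf[pos:pos + length], pos + length

def children(value: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield the (tag, value) pairs directly contained in a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def pem_to_der(pem: str) -> bytes:
    """Drop the BEGIN/END lines (any label, including NEW CERTIFICATE REQUEST) and decode."""
    body = "".join(l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----"))
    return base64.b64decode(body, validate=True)

def inspect_cri(cri: bytes) -> dict:
    """Summarise the contents of a CertificationRequestInfo SEQUENCE (RFC 2986 4.1).
    attributes is [0] IMPLICIT SET OF Attribute: tag byte 0xA0, empty set = A0 00."""
    fields = list(children(cri))
    version = int.from_bytes(fields[0][1], "big")
    rdn_count = sum(1 for _ in children(fields[1][1]))   # subject Name = SEQUENCE OF RDN
    if len(fields) < 4:
        attrs = "absent"
    elif fields[3][0] != 0xA0:
        raise ValueError(f"fourth field has tag 0x{fields[3][0]:02X}, expected [0]")
    elif not fields[3][1]:
        attrs = "empty"
    else:
        attrs = f"{sum(1 for _ in children(fields[3][1]))} attribute(s)"
    return {"version": version, "subject_rdns": rdn_count, "attributes": attrs}

def inspect_csr(der: bytes) -> dict:
    """Unwrap CertificationRequest { certificationRequestInfo, signatureAlgorithm, signature }."""
    tag, cr, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one top-level SEQUENCE")
    cri_tag, cri = next(children(cr))
    if cri_tag != 0x30:
        raise ValueError("certificationRequestInfo must be a SEQUENCE")
    return inspect_cri(cri)

# --- constructed CertificationRequestInfo contents for the three encodings ---
def tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER element with short- or long-form length."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

RSA_OID = bytes.fromhex("2A864886F70D010101")            # rsaEncryption 1.2.840.113549.1.1.1
CHALLENGE_PASSWORD = tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D010907"))   # pkcs-9 challengePassword
                         + tlv(0x31, tlv(0x13, b"not-a-real-secret")))          # constructed sample value

def build_cri(attributes: Optional[bytes]) -> bytes:
    """Contents of a CRI with a one-RDN subject and a dummy (constructed, not real) RSA key.
    attributes=None omits the [0] element, b'' yields A0 00, anything else is the SET contents."""
    subject = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550406")) + tlv(0x13, b"US"))))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b"")) + tlv(0x03, bytes(9)))
    body = tlv(0x02, b"\x00") + subject + spki
    if attributes is not None:
        body += tlv(0xA0, attributes)
    return body

if __name__ == "__main__":
    print("CSR from the post:", inspect_csr(pem_to_der(PAGE_CSR_PEM)))
    for label, a in (("absent", None), ("empty", b""), ("populated", CHALLENGE_PASSWORD)):
        print(f"constructed CRI, attributes {label}:", inspect_cri(build_cri(a)))
```

Run as-is it reports the posted CSR as version 0 with seven subject RDNs and no `[0]` element at all, while the constructed `b""` case shows the `A0 00` form that the online decoder flags as "Object has zero length". Note that `read_tlv` only raises the length error when a declared length overruns the buffer, which is a different condition from an element that is legitimately zero bytes long.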
#15922
Posted: 02/28/2011 09:13:06
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for your investigation.

We will check the TElCertificateRequest source and fix it if there are any bugs there.
As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!